Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Multisafe USPC Contracts>Medium findings>Flawed Pause Logic
GeneralOverview
Findings
Critical (1)
Medium (3)Missing price staleness check in IUSPCHub.vaultSubscription and IUSPCHub.vaultRedemptionIncorrect implementation of USPC._checkMinShares causes DOS.Flawed Pause Logic
Low (2)
Threat ModelWhat are threat models?IUSPCHub.solUSPC.sol
Audit ResultsAssessment Results
Category: Coding Mistakes

Flawed Pause Logic

Medium Impact
Medium Severity
Medium Likelihood

Description

The contract implementation contains faulty pause logic.

  • The _update function in USPC does not have whenNotPaused modifier.

  • Price reading functions (e.g., getLatestPrice) are protected by whenNotPaused modifier, but price management functions (addPrice, updatePrice) are not.

  • The processRedemptions function applies only the global whenNotPaused modifier. However, the validation for the redemptionPaused flag has been omitted.

Impact

This incorrect logic renders the pause mechanism ineffective, resulting in a loss of control in emergency scenarios.

Recommendations

We recommend to add missing whenNotPaused modifier and redemptionPaused check.

Remediation

This issue has been acknowledged by Coinshift, and a fix was implemented in commit d14d8915.

Zellic © 2025Back to top ↑